Why Do Cloud Computing Security Issues Exist?

In the cloud, data is stored with a third-party provider and accessed over the internet. This means visibility into and control over that data are limited. It also raises the question of how that data can be properly secured. It is imperative that everyone understands their respective role in cloud security.

Cloud service providers treat cloud security risks as a shared responsibility. In this model, the cloud service provider covers security of the cloud itself, and the customer covers security of what they put in it. In every cloud service—from software-as-a-service (SaaS) like Microsoft Office 365 to infrastructure-as-a-service (IaaS) like Amazon Web Services (AWS)—the cloud customer is always responsible for protecting their data from security threats and controlling access to it.

Figure 1. Shared responsibility for security between cloud providers and their customers.

Most cloud computing security risks are related to data security. Whether a lack of visibility to data, inability to control data, or theft of data in the cloud, most issues come back to the data customers put in the cloud. Read below for an analysis of the top cloud security issues in SaaS, IaaS, and private cloud, placed in order by how often they are experienced by enterprise organizations around the world.1

Lack of staff with the skills to manage security for cloud applications

Inability to prevent malicious insider theft or misuse of data

Advanced threats and attacks against the cloud application provider

Inability to assess the security of the cloud application provider’s operations

Inability to maintain regulatory compliance

Issues experienced with SaaS applications are naturally centered around data and access because most shared security responsibility models leave those two as the sole responsibility for SaaS customers. It is every organization’s responsibility to understand what data they put in the cloud, who can access it, and what level of protection they (and the cloud provider) have applied.

It is also important to consider the role of the SaaS provider as a potential access point to the organization’s data and processes. Developments such as the rise of XcodeGhost and GoldenEye ransomware emphasize that attackers recognize the value of software and cloud providers as a vector to attack larger assets. As a result, attackers have been increasing their focus on this potential vulnerability. To protect your organization and its data, make sure you scrutinize your cloud provider’s security programs. Set the expectation to have predictable third-party auditing with shared reports, and insist on breach reporting terms to complement technology solutions.

Cloud workloads and accounts being created outside of IT visibility (e.g., shadow IT)

Incomplete control over who can access sensitive data

Theft of data hosted in cloud infrastructure by a malicious actor

Lack of staff with the skills to secure cloud infrastructure

Lack of visibility into what data is in the cloud

Inability to prevent malicious insider theft or misuse of data

Lack of consistent security controls over multi-cloud and on-premises environments

Advanced threats and attacks against cloud infrastructure

Inability to monitor cloud workload systems and applications for vulnerabilities

Lateral spread of an attack from one cloud workload to another

Protecting data is critical in IaaS. As customer responsibility extends to applications, network traffic, and operating systems, additional threats are introduced. Organizations should consider the recent evolution in attacks that extend beyond data as the center of IaaS risk. Malicious actors are conducting hostile takeovers of compute resources to mine cryptocurrency, and they are reusing those resources as an attack vector against other elements of the enterprise infrastructure and third parties.

When building infrastructure in the cloud, it is important to assess your ability to prevent theft and control access. Determining who can enter data into the cloud, tracking resource modifications to identify abnormal behaviors, securing and hardening orchestration tools, and adding network analysis of both north–south and east–west traffic as a potential signal of compromise are all quickly becoming standard measures in protecting cloud infrastructure deployments at scale.

An important factor in the decision-making process to allocate resources to a public vs. private cloud is the fine-tuned control available in private cloud environments. In private clouds, additional levels of control and supplemental protection can compensate for other limitations of private cloud deployments and may contribute to a practical transition from monolithic server-based data centers.

At the same time, organizations should consider that maintaining fine-tuned control creates complexity, at least beyond what the public cloud has developed into. Currently, cloud providers take on much of the effort to maintain infrastructure themselves. Cloud users can simplify security management and reduce complexity through abstraction of controls. This unifies public and private cloud platforms above and across physical, virtual, and hybrid environments.

Recommendations for mitigating the top security issues in cloud computing

Your organization is using cloud services, even if those cloud services are not a primary strategy for your information technology (IT). To mitigate cloud computing security risks, there are three best practices that all organizations should work toward:

DevSecOps processes — DevOps and DevSecOps have repeatedly been demonstrated to improve code quality, reduce exploits and vulnerabilities, and increase the speed of application development and feature deployment. Integrating development, QA, and security processes within the business unit or application team—instead of relying on a stand-alone security verification team—is crucial to operating at the speed today’s business environment demands.

Automated application deployment and management tools — The shortage of security skills, combined with the increasing volume and pace of security threats, means that even the most experienced security professional cannot keep up. Automation that removes mundane tasks and augments human advantages with machine advantages is a fundamental component of modern IT operations.

Unified security with centralized management across all services and providers — No one product or vendor can deliver everything, but multiple management tools make it too easy for something to slip through. A unified management system with an open integration fabric reduces complexity by bringing the parts together and streamlining workflows.

Finally, when trade-off decisions must be made, better visibility should be the No. 1 priority, not greater control. It is better to be able to see everything in the cloud than to attempt to control an incomplete portion of it.